Warning: Permanently added 'ci-upstream-next-kasan-gce-4,10.128.0.3' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 47.540902] ==================================================================
[ 47.548401] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 47.555409] Write of size 8 at addr ffff8801cd813688 by task syzkaller125515/2988
[ 47.563019]
[ 47.564652] CPU: 1 PID: 2988 Comm: syzkaller125515 Not tainted 4.14.0-rc2-next-20170928+ #31
[ 47.573224] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.582570] Call Trace:
[ 47.585157]  dump_stack+0x194/0x257
[ 47.588787]  ? arch_local_irq_restore+0x53/0x53
[ 47.593450]  ? show_regs_print_info+0x65/0x65
[ 47.597953]  ? __internal_add_timer+0x275/0x2d0
[ 47.602622]  print_address_description+0x73/0x250
[ 47.607467]  ? __internal_add_timer+0x275/0x2d0
[ 47.612117]  kasan_report+0x25b/0x340
[ 47.615903]  __asan_report_store8_noabort+0x17/0x20
[ 47.620898]  __internal_add_timer+0x275/0x2d0
[ 47.625371]  ? calc_wheel_index+0x200/0x200
[ 47.629696]  mod_timer+0x622/0x15b0
[ 47.633305]  ? mod_timer_pending+0x14e0/0x14e0
[ 47.637869]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 47.642877]  ? trace_hardirqs_on+0xd/0x10
[ 47.647095]  ? _crng_backtrack_protect+0xd9/0x130
[ 47.651919]  ? __lock_is_held+0xbc/0x140
[ 47.655955]  ? __lockdep_init_map+0xe4/0x650
[ 47.660340]  ? lockdep_init_map+0x3d/0x70
[ 47.664461]  ? rcu_read_lock_sched_held+0x108/0x120
[ 47.669461]  ? init_timer_key+0x126/0x3b0
[ 47.673585]  ? try_to_del_timer_sync+0x120/0x120
[ 47.678322]  ? round_jiffies_up+0xce/0x100
[ 47.682531]  ? __round_jiffies_up_relative+0x150/0x150
[ 47.687781]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 47.692697]  __tun_chr_ioctl+0x1beb/0x3e40
[ 47.696916]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 47.701304]  ? lock_downgrade+0x990/0x990
[ 47.705449]  ? handle_mm_fault+0x410/0x8d0
[ 47.709668]  ? __do_page_fault+0x31e/0xd60
[ 47.713899]  ? trace_event_raw_event_sched_switch+0x770/0x770
[ 47.719757]  ? up_read+0x1a/0x40
[ 47.723109]  ? tun_chr_compat_ioctl+0x30/0x30
[ 47.727575]  tun_chr_ioctl+0x2a/0x40
[ 47.731263]  ? tun_chr_ioctl+0x2a/0x40
[ 47.735127]  do_vfs_ioctl+0x1b1/0x1530
[ 47.738987]  ? _cond_resched+0x14/0x30
[ 47.742855]  ? ioctl_preallocate+0x2b0/0x2b0
[ 47.747240]  ? selinux_capable+0x40/0x40
[ 47.751274]  ? putname+0xf3/0x130
[ 47.754703]  ? do_sys_open+0x320/0x6d0
[ 47.758573]  ? security_file_ioctl+0x89/0xb0
[ 47.762959]  SyS_ioctl+0x8f/0xc0
[ 47.766304]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 47.771028] RIP: 0033:0x443db9
[ 47.774192] RSP: 002b:00007ffd4c89dca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 47.781882] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[ 47.789134] RDX: 0000000020c63fd8 RSI: 00000000400454ca RDI: 0000000000000004
[ 47.796378] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 47.803621] R10: 0000000000000000 R11: 0000000000000206 R12: b95c938f617463e2
[ 47.810952] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[ 47.818214]
[ 47.819814] Allocated by task 2988:
[ 47.823414]  save_stack_trace+0x16/0x20
[ 47.827360]  save_stack+0x43/0xd0
[ 47.830782]  kasan_kmalloc+0xad/0xe0
[ 47.834465]  __kmalloc_node+0x47/0x70
[ 47.838247]  kvmalloc_node+0x64/0xd0
[ 47.841933]  alloc_netdev_mqs+0x16d/0xed0
[ 47.846054]  __tun_chr_ioctl+0x1386/0x3e40
[ 47.850258]  tun_chr_ioctl+0x2a/0x40
[ 47.853943]  do_vfs_ioctl+0x1b1/0x1530
[ 47.857799]  SyS_ioctl+0x8f/0xc0
[ 47.861140]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 47.865865]
[ 47.867465] Freed by task 2988:
[ 47.870721]  save_stack_trace+0x16/0x20
[ 47.874670]  save_stack+0x43/0xd0
[ 47.878092]  kasan_slab_free+0x71/0xc0
[ 47.881949]  kfree+0xca/0x250
[ 47.885025]  kvfree+0x36/0x60
[ 47.888101]  free_netdev+0x2cf/0x360
[ 47.891784]  __tun_chr_ioctl+0x2df6/0x3e40
[ 47.895986]  tun_chr_ioctl+0x2a/0x40
[ 47.899687]  do_vfs_ioctl+0x1b1/0x1530
[ 47.903545]  SyS_ioctl+0x8f/0xc0
[ 47.906902]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 47.912236]
[ 47.913838] The buggy address belongs to the object at ffff8801cd810280
[ 47.913838]  which belongs to the cache kmalloc-16384 of size 16384
[ 47.926826] The buggy address is located 13320 bytes inside of
[ 47.926826]  16384-byte region [ffff8801cd810280, ffff8801cd814280)
[ 47.939027] The buggy address belongs to the page:
[ 47.943928] page:ffffea0007360400 count:1 mapcount:0 mapping:ffff8801cd810280 index:0x0 compound_mapcount: 0
[ 47.953875] flags: 0x200000000008100(slab|head)
[ 47.958528] raw: 0200000000008100 ffff8801cd810280 0000000000000000 0000000100000001
[ 47.966381] raw: ffffea0007548220 ffffea000738ee20 ffff8801dac02200 0000000000000000
[ 47.974239] page dumped because: kasan: bad access detected
[ 47.979919]
[ 47.981517] Memory state around the buggy address:
[ 47.986415]  ffff8801cd813580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.993752]  ffff8801cd813600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.001082] >ffff8801cd813680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.008409]                       ^
[ 48.012004]  ffff8801cd813700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.019334]  ffff8801cd813780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.026662] ==================================================================
[ 48.034000] Disabling lock debugging due to kernel taint
[ 48.039423] Kernel panic - not syncing: panic_on_warn set ...
[ 48.039423]
[ 48.046752] CPU: 1 PID: 2988 Comm: syzkaller125515 Tainted: G B 4.14.0-rc2-next-20170928+ #31
[ 48.056505] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.065832] Call Trace:
[ 48.068392]  dump_stack+0x194/0x257
[ 48.071986]  ? arch_local_irq_restore+0x53/0x53
[ 48.076623]  ? vprintk_default+0x28/0x30
[ 48.080654]  ? __internal_add_timer+0x1e0/0x2d0
[ 48.085291]  panic+0x1e4/0x417
[ 48.088450]  ? __warn+0x1d9/0x1d9
[ 48.091876]  ? __internal_add_timer+0x275/0x2d0
[ 48.096510]  kasan_end_report+0x50/0x50
[ 48.100450]  kasan_report+0x144/0x340
[ 48.104217]  __asan_report_store8_noabort+0x17/0x20
[ 48.109197]  __internal_add_timer+0x275/0x2d0
[ 48.113673]  ? calc_wheel_index+0x200/0x200
[ 48.117966]  mod_timer+0x622/0x15b0
[ 48.121564]  ? mod_timer_pending+0x14e0/0x14e0
[ 48.126120]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.131102]  ? trace_hardirqs_on+0xd/0x10
[ 48.135273]  ? _crng_backtrack_protect+0xd9/0x130
[ 48.140087]  ? __lock_is_held+0xbc/0x140
[ 48.144116]  ? __lockdep_init_map+0xe4/0x650
[ 48.148500]  ? lockdep_init_map+0x3d/0x70
[ 48.152614]  ? rcu_read_lock_sched_held+0x108/0x120
[ 48.157597]  ? init_timer_key+0x126/0x3b0
[ 48.161710]  ? try_to_del_timer_sync+0x120/0x120
[ 48.166435]  ? round_jiffies_up+0xce/0x100
[ 48.170636]  ? __round_jiffies_up_relative+0x150/0x150
[ 48.175880]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 48.180790]  __tun_chr_ioctl+0x1beb/0x3e40
[ 48.184997]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 48.189380]  ? lock_downgrade+0x990/0x990
[ 48.193507]  ? handle_mm_fault+0x410/0x8d0
[ 48.197714]  ? __do_page_fault+0x31e/0xd60
[ 48.201922]  ? trace_event_raw_event_sched_switch+0x770/0x770
[ 48.207772]  ? up_read+0x1a/0x40
[ 48.211108]  ? tun_chr_compat_ioctl+0x30/0x30
[ 48.215569]  tun_chr_ioctl+0x2a/0x40
[ 48.219249]  ? tun_chr_ioctl+0x2a/0x40
[ 48.223103]  do_vfs_ioctl+0x1b1/0x1530
[ 48.226954]  ? _cond_resched+0x14/0x30
[ 48.230809]  ? ioctl_preallocate+0x2b0/0x2b0
[ 48.235184]  ? selinux_capable+0x40/0x40
[ 48.239212]  ? putname+0xf3/0x130
[ 48.242633]  ? do_sys_open+0x320/0x6d0
[ 48.246492]  ? security_file_ioctl+0x89/0xb0
[ 48.250867]  SyS_ioctl+0x8f/0xc0
[ 48.254201]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 48.258920] RIP: 0033:0x443db9
[ 48.262075] RSP: 002b:00007ffd4c89dca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 48.269746] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[ 48.276984] RDX: 0000000020c63fd8 RSI: 00000000400454ca RDI: 0000000000000004
[ 48.284219] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 48.291462] R10: 0000000000000000 R11: 0000000000000206 R12: b95c938f617463e2
[ 48.298696] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[ 48.305977] Dumping ftrace buffer:
[ 48.309492]    (ftrace buffer empty)
[ 48.313169] Kernel Offset: disabled
[ 48.316766] Rebooting in 86400 seconds..